French hacker cracks into Twitter exposing millions of accounts to danger

May 01, 2009
Sophos Press Release

IT security and control firm Sophos is advising that Twitter
hardens its security as a French hacker claims he broke into
Twitter's internal administration system, enabling him to access
the accounts of millions of Twitter users - including Barack Obama,
Britney Spears, Ashton Kutcher and Lily Allen.

The hacker - known as 'Hacker Croll' - claims that he was able
to access Twitter's internal administration system after stealing a
password from a staffer at the micro-blogging website. It is
alleged that by resetting the employee's Yahoo password after
guessing his 'secret question', Hacker Croll found the information
about the staffer's Twitter login credentials.

The claims appear to be confirmed by screenshot images uploaded to a
French blog, which give a glimpse into the micro-blogging site's
admin panel, revealing that the likes of Kutcher and Allen have
blocked other Twitter users, such as celebrity gossipmonger Perez
Hilton, from contacting them. Amongst the private information
accessible were the email addresses of compromised accounts, mobile
phone numbers (if one was associated with the account), and the
list of accounts blocked by the affected user.

"This is just the latest in a string of security issues at
Twitter in recent months, and the website is surely in danger of
losing the confidence of its users who will be rattled by yet
another breach," said Graham Cluley, senior technology consultant
at Sophos. "Just like with
the recent Twitter worm outbreaks, this is not so much a case of
Twitter raising awareness amongst its many users about sensible
online security, but learning a few lessons itself. Careless
security by the micro-blogging site could potentially put millions
of Twitter users at risk."

Sophos advises that Twitter's internal security could be
improved if staff were required to log in using authentication tokens
that provide a one-time code at each login, meaning that even
if a staffer's username and password are compromised, attackers would
still not be able to gain access.

"If a Twitter employee loses their password, it seems hackers
can run riot on the site and cause all sorts of problems. By making
staff adopt the kind of hardware authentication keys that many
online banking customers now need to use to login online, Twitter
would make it far less likely that an attack like this could
succeed," explained Cluley. "Let's not forget, although many will
blame Twitter for not ensuring that its staff followed sensible
policies to better secure critical administrator accounts, the real
criminal here is Hacker Croll."

About Sophos

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at www.sophos.com/company.